ENG-2494 - Connection error using Snowflake Private Key auth (#7294)

vcruces · vcruces · commit 7c408d9d1340 · 2026-02-03T11:09:29.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -75,6 +75,7 @@ Changes can also be flagged with a GitHub label for tracking purposes. The URL o
 - Fixed monitor filter state syncing [#7239](https://github.com/ethyca/fides/pull/7239)
 - Fixed GPC and automated consent being evaluated after FidesInitialized fires [#7222](https://github.com/ethyca/fides/pull/7222)
 - Added FidesLocaleUpdated event to FidesJS to notify when a user changes the language [#7234](https://github.com/ethyca/fides/pull/7234)
+- Fixed Snowflake connection failing when using private key authentication without passphrase [#7294](https://github.com/ethyca/fides/pull/7294)
 
 ### Removed
 - Removed cypress-e2e test suite and associated GitHub workflow [#7193](https://github.com/ethyca/fides/pull/7193)
diff --git a/src/fides/api/service/connectors/snowflake_connector.py b/src/fides/api/service/connectors/snowflake_connector.py
@@ -54,19 +54,27 @@ def get_connect_args(self) -> Dict[str, Any]:
         connect_args: Dict[str, Union[str, bytes]] = {}
         if config.private_key:
             config.private_key = config.private_key.replace("\\n", "\n")
-            connect_args["private_key"] = config.private_key
-            if config.private_key_passphrase:
-                private_key_encoded = serialization.load_pem_private_key(
-                    config.private_key.encode(),
-                    password=config.private_key_passphrase.encode(),  # pylint: disable=no-member
-                    backend=default_backend(),
-                )
-                private_key = private_key_encoded.private_bytes(
-                    encoding=serialization.Encoding.DER,
-                    format=serialization.PrivateFormat.PKCS8,
-                    encryption_algorithm=serialization.NoEncryption(),
-                )
-                connect_args["private_key"] = private_key
+
+            # Determine password (None if no passphrase)
+            password = (
+                config.private_key_passphrase.encode()
+                if config.private_key_passphrase
+                else None
+            )
+
+            # Load and convert the private key to DER/PKCS8 format
+            # This is required by Snowflake connector regardless of passphrase
+            private_key_encoded = serialization.load_pem_private_key(
+                config.private_key.encode(),
+                password=password,
+                backend=default_backend(),
+            )
+            private_key = private_key_encoded.private_bytes(
+                encoding=serialization.Encoding.DER,
+                format=serialization.PrivateFormat.PKCS8,
+                encryption_algorithm=serialization.NoEncryption(),
+            )
+            connect_args["private_key"] = private_key
         return connect_args
 
     def query_config(self, node: ExecutionNode) -> SnowflakeQueryConfig:
